HIPAA Compliant Backups

Hopefully, someone out there can help me better understand these HIPAA regulations with Data Backups.

I understand that they require “Data at Rest Encryption”, but isn’t it enough that the workstations/servers are encrypted before they are sent to the NAS, and then offloaded to a proper cloud backup provider like Backblaze B2 over an encrypted session or am I missing something here? I RTFM and a lot, and I have more questions than I do answers. My scenario would be as such

<workstation/server + Encrypted on the fly backup> --> ZFS Based NAS --> B2 offsite


<workstation/server + Encrypted on the fly backup> --> ZFS Based NAS --> Double Encrypted by Duplicati -> B2 offsite

Either scenario, Encrypted data at rest shouldn’t matter to me if it was pre-encrypted before it leaves the workstation/server and transmitted to the NAS and then remotely over a secure tunnel or am I missing something??

I feel like my brain is melting through my pores at this point. I am looking forward to a “dummies” version of a reply. Thank you in Advance!

1 Like

You need to encrypt it prior to leaving the system that it is backing up. That way all the data on the “At Rest” storage systems is locked down separate from the key.

1 Like

@LTS_Tom - so my proposed scenarios are good?

Think chain of custody encrypt data on local store > transmit encrypted data over encrypted link >data at rest on remote data store is with original encryption. Keys remain safe at your location. If you are using FreNAS or TrueNAS as your local data store smart compression should be enabled it makes the encryption more difficult to hack should the site or comm link be compromised.

1 Like

Thanks @LTS_Tom and @g-aitc for the responses. I appreciate it!